I have a set of users in my OpenLDAP and I wish to get some information from them, for example "cn" and "userPassword".
However, when I retrieve these details the password isn't in plain text, even though it is set to this in my LDAP server.
Any ideas how to solve this?
The userPassword is generally stored in hashed form:
userPassword: {hashAlgorithm}Hashed value
Example:
userPassword: {SSHA}DkMTwBl+a/3DQTxCYEApdUtNXGgdUac3
The userPassword attribute is allowed to have more than one value, and it is possible for each value to be stored in a different form. During authentication, slapd will iterate through the values until it finds one that matches the offered password or until it runs out of values to inspect. The storage scheme is stored as a prefix on the value.
You can have:
CRYPT
This scheme uses the operating system's crypt(3) hash function. It normally produces the traditional Unix-style 13 character hash, but on systems with glibc2 it can also generate the more secure 34-byte MD5 hash.
MD5
This scheme simply takes the MD5 hash of the password and stores it in base64 encoded form.
SMD5
This improves on the basic MD5 scheme by adding salt (random data which means that there are many possible representations of a given plaintext password). For example, both of these values represent the same password
SSHA
This is the salted version of the SHA scheme. It is believed to be the most secure password storage scheme supported by slapd.
Conclusion
Most of the time you don't have to recover the password. You just have to compute the hash from the password given by the user in the login form and compare it with the one in userPassword.
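To make that conclusion concrete, here is an added example (not code from the question or the answer above) that parses a userPassword value, re-hashes a candidate password with the stored salt and compares the result, which is what slapd does at bind time. It covers the {SHA}, {SSHA}, {MD5} and {SMD5} schemes listed in the answer and leaves {CRYPT} out, since that one depends on the platform's crypt(3). The helper names, the 8-byte salt used when generating values and the test passwords are this example's own choices, not anything from the page.

```python
"""Verify a password against an OpenLDAP userPassword value (added example).

Handles the {SHA}, {SSHA}, {MD5} and {SMD5} schemes. {CRYPT} is left out
because it depends on the platform crypt(3).
"""
import base64
import hashlib
import hmac
import os

# scheme -> (hashlib name, digest size in bytes, whether a salt follows the digest)
SCHEMES = {
    "SHA":  ("sha1", 20, False),
    "SSHA": ("sha1", 20, True),
    "MD5":  ("md5", 16, False),
    "SMD5": ("md5", 16, True),
}


def parse_userpassword(value):
    """Split '{SCHEME}base64' into (scheme, digest, salt).

    For the salted schemes the base64 payload is digest || salt, so the salt
    is simply whatever follows the fixed-length digest; its length is not fixed.
    """
    if not value.startswith("{") or "}" not in value:
        raise ValueError("no {scheme} prefix; value is probably cleartext")
    scheme, _, payload = value[1:].partition("}")
    scheme = scheme.upper()
    if scheme not in SCHEMES:
        raise ValueError(f"unsupported scheme {{{scheme}}}")
    algo, size, salted = SCHEMES[scheme]
    raw = base64.b64decode(payload, validate=True)
    if salted:
        if len(raw) <= size:
            raise ValueError("salted value carries no salt")
        return scheme, raw[:size], raw[size:]
    if len(raw) != size:
        raise ValueError("digest length does not match scheme")
    return scheme, raw, b""


def verify_userpassword(value, candidate):
    """True if candidate, hashed with the stored salt, equals the stored digest."""
    scheme, digest, salt = parse_userpassword(value)
    algo = SCHEMES[scheme][0]
    computed = hashlib.new(algo, candidate.encode("utf-8") + salt).digest()
    # constant-time compare so the check does not leak how many bytes matched
    return hmac.compare_digest(computed, digest)


def verify_any(values, candidate):
    """Mimic slapd on a multi-valued attribute: accept if any value matches."""
    return any(verify_userpassword(v, candidate) for v in values)


def make_userpassword(password, scheme="SSHA", salt=None):
    """Produce a value in the same {SCHEME}base64 form that slapd stores.

    The 8-byte random salt is this example's choice; because the salt is
    stored after the digest, any salt length verifies with the code above.
    """
    scheme = scheme.upper()
    algo, _, salted = SCHEMES[scheme]
    if salted:
        salt = os.urandom(8) if salt is None else salt
    else:
        salt = b""
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


if __name__ == "__main__":
    # Constructed sample: first value is the SHA-1 of "password", second is freshly salted.
    stored = ["{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=", make_userpassword("s3cret-2", "SSHA")]
    print(verify_any(stored, "s3cret-2"), verify_any(stored, "wrong"))
```

Two things worth noticing when running it: the answer's own {SSHA} example decodes to 24 bytes, that is a 20-byte SHA-1 digest followed by a 4-byte salt, which is why the parser has to treat "everything after the digest" as the salt rather than assume a length. And both MD5 and SHA-1 are fast hashes: an unsalted {MD5} or {SHA} value can be looked up in precomputed tables, and even the salted variants offer little resistance to brute force on current hardware, so for new deployments prefer the slower schemes that newer OpenLDAP releases add, such as {ARGON2}.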